LG is closing a security hole that makes it possible for attackers to steal chat histories and other sensitive data stored on an estimated 10 million G3 phones.
The vulnerability resides in an LG app called Smart Notice. It comes preinstalled on new LG G3 devices and displays a variety of notifications and suggestions, including recommendations to stay in touch with favorite contacts, suggestions to save recent callers' contact information, and birthday reminders. The app fails to validate data presented to users, making it possible for attackers to manipulate data such as contact information so that it executes malicious code on affected handsets.
"Using the vulnerability, an attacker can easily open the user device to data theft attack, extracting private information saved on the SD Card including WhatsApp data and private images; put the user in danger of phishing attack by misleading the end-user; and enable the installation of a malicious program on the device," researchers wrote in a blog post published Thursday. "We informed LG, which responded quickly to notice of the vulnerability and we encourage users to immediately upgrade their application to new Smart Notice release, which contains a patch."